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A quantum seal is a way of encoding a message into quantum states, so that anybody may 
read the message with little error, while authorized verifiers can detect that the seal has been 
broken. We present a simple extension to the Bechmann-Pasquinucci majority-voting scheme that 
is impervious to coherent attacks, and further, encompasses sealing quantum messages by means of 
quantum encryption. The scheme is relatively easy to implement, requiring neither entanglement 
nor controlled operations during the state preparation, reading or verification stages. 
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a. Introduction: Before the age of electronic communication, important documents were often closed using a 
wafer of molten wax into which was pressed the distinctive seal of the sender. This was meant to fulfil different 
purposes, namely authentication of the sender as well as enabling the receiver to verify that the seal had not been 
broken, and the message read, by a third party. Clearly it is meaningful to extend the scheme to the digital world. 
Recently, Bechmann-Pasquinucci examined a quantum scheme for sealingclassical data pj. As with other related 

£vQ ■ quantum cryptographic schemes, such as quantum keydistribution US 0,13 > it relies on the characteristic features of 
| quantum cryptology, namely the no-cloning theorem |(| and quantum uncertainty to guarantee unconditional security 
whereas classical systems can offer at best computational security. Specifically, Ref. 1] proposes a way to represent 
one bit of classical data by three qubits out of which one of them (the seal qubit) is prepared in a diagonal basis 
state (an eigenstate of the Pauli X or Y operators), while the remaining two (coding qubits) represent the classical 
bit in the computational basis (i.e., eigenbasis of the Pauli Z operator). Using single qubit measurement along the 
■ computational basis plus the classical [3, 1, 3] -majority vote code, anyone can obtain the original classical bit with 
certainty. And at the same time, the authorized verifier, who possesses some additional information on the seal qubit, 
is able to check if the seal was broken with non-negligible probability. This scheme was extended in Ref. Q to the 
O ,' case of quantum messages, using quantum error correction codes. 

In this article, we present a majority vote scheme that guarantees an arbitrarily high probability that a reader 
will unseal the correct message and is impervious even to coherent attacks of the type envisaged in Ref. |l| . It does 
not require the application of any nonlocal (i.e., multi-qubit) gate operations during the preparation, reading and 
verification stages and is hence fairly easy to implement. We believe that ease of implementability is of significance, 
because if security were of prime concern, then quantum key distribution, whose unconditional security has been 
extensively studied, but which can be difficult and expensive to implement, would be the appropriate way to protect 
communication. 

b. A modified scheme: In our modified scheme, a classical bit is still read using a majority voting system as in 
the Bechmann-Pasquinucci protocol, but the coding bits are fewer than the sealing bits. That is, the fraction / of 
coding qubits satisfies / < 1/2. We use the notation where {|0), |1)} represent eigenstates of the computational basis, 
and {|±)} that of the diagonal basis. For example, let us consider a 5-qubit seal (in practice, the seal must be longer, 
as we note later) with two code bits, so that / = 2/5 = 0.4. A bit value b can thus be encoded in any of the following 
combinations, among others: 



|1>|1>|H->|— >j-h) code bits at 1,2 

|0)|+)|0)|-)|+) code bits at 1,3 

|-)l+)|0)|0)|+) code bits at 3,4 

|+)|-)|+)|1)|1) code bits at 4, 5 



b = 1 
6 = 
6 = 

6=1 (1) 



Further, the bit value encoded above is not a message bit: instead, each message bit is first split into shares according 
to a secret sharing scheme || and it is the share bits that are sealed and transmitted. This ensures that the split- 
shared bit can be recovered only by combining the shares in appropriate authorized combinations, and as clarified 
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below, improves security against illegal breaking of the seal. In a simple instance, the shares could simply be s single 
bits such that their bitwise sum is the value of the message bit. Given s, a publicly known security parameter, each 
message bit is classically split-shared into s shares according to a classical secret sharing scheme, in particular a (s, s) 
threshold scheme. Further protection can come by embedding the share bit into the a classical error correction code 

0. It is therefore understood that the majority voting scheme described below is applied not to the message bit 
directly, but to the code bits derived from the message. 

c. Encoding and verification by the sender: To seal a single code bit 6, sender (sealer) Alice chooses n qubits. Of 
these, a fraction / < 0.5 are prepared in the computational basis in the state \b). These qubits are the code qubits. 
The remaining (1 — f)n qubits, which are the seal qubits, are put randomly in any eigenstate of the diagonal basis 
(1/V / 2)(|0)±|1)). First let us see that this suffices to ensure that, with high probability, anyone can read the message, 
especially, considering that the code bits are not in majority. By the large number theorem the expected number of 
seal bits that if measured yield or 1 is (1 — /)0.5n ± — /)0.5n (i.e., a square-root statistical fluctuation). The 
expected number of bits read as the intended, encoded bit is: 

»/e-»(/+ i ^)=n(i + 0. (2) 

To ensure that statistical fluctuation should not drown the signal, we will require that / should be sufficiently large: 

1. e., fn > 2y/ (1 — /)0.5n or n > no = 2(1 — /)/ f 2 . Thus, for example, if we choose / = 0.4, the sealed message length 
should be greater than 8 qubits. If we choose the more delicate / = 0.25, then the sealed message length should be 
greater than 24 qubits. Conversely, given n, f > fo = [\j2n + 1 — l)/n. For example, if n = 40 qubits, then /o = 0.2, 
so that the code qubits should be more than 8. 

This would seem to suggest that the larger is /, the better. This is indeed true for plainly breaking the seal and 
reading the message. However, it also increases insecurity of a kind: suppose one randomly picks one qubit and 
measures its state in the computational basis. The chance of knowing the message bit without being caught equals 
Pchcat = / + (1 - /)(l/2)(l/2) = (3/4)/ + 1/4. In the scheme of Ref. Q, / = 2/3, so that p choa t = 3/4. By setting 
/ — ► 0, we obtain the limit cheating probability of this kind to be (1/4). In practice, in order to guard against 
statistical flucatuations, / should be chosen greater than Jq. Even a cheating probability of 1/4 is too large. However, 
because of the secret sharing the probability that the cheater is caught rapidly rises according to (1 — Pcheat)- 

Suppose the message has been read by someone who measures all qubits in the computational basis. In order to 
verify whether the seal is broken, Alice measures r < (1 — f)n seal qubits on known coordinates in the diagonal basis. 
She checks that the outcomes match her preparation record. With high probability (= 1 — (l/2) r ) she will detect at 
least one mismatch if the seal has been broken, and thus know that the message has been read. (In this work, we 
ignore the effect of noise). Notice that after reading the message, a reader on average knows n(l — /)/2 coordinates, 
where the minority outcome was obtained, to be the seal qubits. But he learns nothing of their original state because 
of the no-cloning theorem and quantum uncertainty. 

d. Intended reader verification: In the case of a classical seal, the receiver is familiar with the design of the symbol 
pressed into the wax, and uses this knowledge to identify the document as authentic. This means prior knowledge 
on the part of the intended receiver or verifier is required. For the present quantum seal, this part of the protocol 
is obtained by Alice providing a distinct set of r,j < (1 — f)n coordinates of the seal qubits and the corresponding- 
preparation information to each authorized reader. The authorized verifier uses projective measurements to determine 
that the seal qubits have not been disturbed, leaving the code qubits untouched. He himself cannot read it because 
he has information only on part of the seal qubits, and does not know which of the remaining qubits are code qubits 
and which seal qubits. Let Rj be the set of coordinates Alice gives to the jth authorized verifier along with the 
corresponding preparation information. In order that all verifiers should not be able to collude and read the message 
without breaking the seal, we require that the union of their sets should be a proper subset of the seal qubits. 
As a consequence, we have | flj Rj\ < (1 — f)n. This will demand a sufficiently large number of seal qubits. An 
alternative scheme is to give the verifiers coordinate information, and quantum information of the seal qubit states, 
for performance of a non-desctructive state comparison involving a control-swap gate y). From the viewpoint of 
implementation, these multi-qubit operations are more difficult relative to the plain projective measurements in our 
case. 

e. Security aspects: As pointed out in Ref. yj, a majority encoding scheme (with / > 0.5) will necessarily 
be insecure against a coherent attack, i.e., one based on collective, incomplete measurement or a suitable positive 
operator-valued measure (POVM) on all qubits taken together. The reason is that any encoding for a bit is orthogonal 
to every encoding for the other bit. For example, in a 3-qubit seal with / = 2/3, the subspace of all states that can 
encode for b — is spanned by the vectors {|0)|0)|0), |0)|0)|1), |0)|1)|0), |1)|0)|0)}, whereas that of states encoding for 
b = 1 by {|1)|1)|1), |1)|1)|0), |1)|0)|1), |0)|1)|1)}. Since these two subspaces are mutually orthogonal, an incomplete 
three-qubit measurement can in principle distinguish them 
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In general, let pb denote the mixed state encoding for code bit b as seen by a potential attacker. A scheme where 
Po and pi have mutually orthogonal support is insecure towards a coherent attack. An important feature of our 
scheme is that because / < 0.5, the supports for po and pi are not mutually orthogonal. For example, in the partial 
listing l[T)l. the first and third vectors are not orthogonal to each other even though they encode for complementary 
bits; likewise nor are the second and fourth vectors. Indeed, any valid encoding for a bit value (say 0) will be non- 
orthogonal to ^^ n Cf n ^ n valid encodings for the other bit value (in this case, 1). Here we note that including the 
mutually unbiased basis states of the Pauli Y operator improves the above count to ( 1- ^ rl C/ n 4^ n 3( 1-2 ^' )n . However, 
the original, simpler scheme also suffices to guarantee unconditional (i.e., exponential in some security parameter) 
security. To see that as a result the two density operators approach indistinguishability rapidly, we use a simple 
measure of closeness between pa and pi, the Hilbert-Schmidt distance: 

d us = Tr [(Po - Pi)Hpo ~ Pi)] • (3) 

To a potential quantum attacker who only knows /, the state encoding for a bit is po — (j l Cf n 2 i - 1 ~^ n ) 1 (|0)(0| ® 
|0)(0| • • • |0)(0| ® |si)(si| <g> • • • <g> \sn_f\ n )(sn_f\ n \ + ■ ■ ■ ) where the summation runs over all n Cj n combinations for 
interspersing the fn copies of the |0) bits amidst the remaining (1 — f)n seal qubits, and the seal qubits can be 
in any of the diagonal basis eigenstates (i.e., those of the Pauli X operator). For simplicity, we assume that the 
eavesdropping attacker has knowledge of /, though in reality he can be worse off. Similarly, the state encoding for a 

one 1 bit is Pl = ("C / „2( 1 -/)")' 1 (|1)(1| ® |1)(1| • • • |1)(1| ® | Sl )( Sl | <g> • • • ® |s (1 _ /)n )( S(1 _ /)n | + •••)■ 

It follows that (p - pi)t = (po - P i) = ^C fn 2 ( ~ l '^ n y 1 (|000 • • • ) (000 ■ • • | - jlll • • • )(111 • • • |) <g> I <g> ■ ■ ■ <g> I + ■ ■ ■ ), 
where the summation runs over all n C/„ combinations for interspersing the (1 — f )n copies of I (single-qubit identity) 
operators amidst the n qubit slots. After some manipulation, we find: 

< 2 _[(i_/)„-i]_ (4) 

where we arrive at the inequality noting that n C m = n ~ m C m + Y^T~ mC i\f C ^ 2m ^ n - lt follows from Eq. Q 
that the two states approach indistinguishability exponentially fast in n. Thus, no matter what POVM strategy the 
attacker chooses, we can increase n to make the chance of detection via a coherent attack arbitrarily small. Further, 
the layer of secret sharing means that the chance of launching such an attack and reading the message without being 
caught is further exponentially diminished. 

/. Extension to sealing of quantum data: The method given above works for sealing classical data. By combining 
it with quantum encryption 10, 11], it can be used to implement quantum seals for sealing quantum data. Quantum 
encryption works as follows: suppose we have a n-qubit quantum state \ tp) and random sequence K of 2n classical bits. 
Each sequential pair of classical bit is associated with a qubit and determines which transformation a G {I, <r x , & y , a z } 
is applied to the respective qubit. If the pair is 00, 1 is applied, if it is 01, a x is applied, and so on. To one not knowing 
K, the resulting is a complete mixture and no information can be extracted out of it because the encryption leaves 
any pure state in a maximally mixed state, that is: (l/4)(I\S)(S\I + a x \S) (S\a x +& y \S){S\& y + a z \S)(S\a z ) = (1/2) J. 
However, with knowledge of K the sequence of operations can be reversed and \tp) recovered. Therefore, classical data 
can be used to encrypt quantum data. 

To seal quantum data \ip), we proceed as follows: (1) encrypt using classical data K to (2) seal classical 
data K in qubits (3) intersperse the qubits amidst those of \ip) according to some combination C; (4) seal C 
using qubits \rjk)- The total quantum seal for quantum data consists of the triple {|V>) S &)j (££) fc \i]k)}- We note if 
the second layer of sealing were absent, and the quantum seal consisted only of {\ip}, &)j a malevolent intruder 

could modify the encrypted data without Bob or the verifiers being able to detect it. 

In order to read the state the reader must first break the first layer seal to retrieve C, from which he obtains 
positional information of the qubits sealing the data K. He retrieves K by breaking the seal of positionally marked 
qubits. He decrypts \ip) using K to obtain There are an exponentially large number of ways of interpolating 
the if -sealing qubits amidst those of \ip). Hence the potential attacker must first obtain positional information by 
breaking the first layer seal, which will lead to detection with high probability. 



^hs - 2 ' "C/i 



Ej=o [ (1 ~ /)nc j][ /nc j] 2l(1_/)n_Jl 

. ["C /n 2(i-/H 2 . 



[1] H. Bechmann-Pasquinucci, eprint quant-ph/0303173 (to appear in Int. Jl. of Quantum Information). 



4 



[2] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems, and Signal 

Processing at Bangalore (IEEE, New York, 1984), p. 175. 
[3] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). 
[4] P. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000). 

[5] N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002). 

[6] W. K. Wooters an d W. H. Zurek, Nat ure 299, 802 (1982). Rev. Mod. Phys. 74, 145 (2002). 

[7] H. F. Chau, eprint quant-ph/0308146 

[8] B. Schneier, Applied Cryptography, Wiley, New york, (1996) p. 70. 

[9] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error- correcting Codes (North-Holland 1977). 
[10] M. Mosca, A. Tapp, R. de Wolf, quant-ph/0003101 

[11] P. O. Boykin and Vwani Roychowdhury, Phys. Rev. A 67, 042317 (2003). 



